Team,
I am not anything but new to ldap. I have however successfully installed and configured Openldap on CentOS7. Online material was a BIG help.
I am trying to figure out how to allow users to change their own passwords.
Googling pointed me to this:
access to attrs=userPassword by self write by anonymous auth by users none
access to * by * read
But where and how does this get input into the ldap db? There is no longer a slapd.conf.
Please advise. Regards,
Kartik Vashishta
On Mon, 12 Oct 2015 16:13:18 -0500, Kartik Vashishta kartik.unix@gmail.com wrote:
slapd-config(5)
-Dieter
On Tue, Oct 13, 2015 at 09:02:01AM +0200, Dieter Klünter wrote:
On Mon, 12 Oct 2015 16:13:18 -0500, Kartik Vashishta kartik.unix@gmail.com wrote:
slapd-config(5)
Also http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20v...
I would suggest changing the access list:
olcAccess: to attrs=userPassword by self =wx by anonymous auth by * none
olcAccess: to * by * read
The important change is the 'self' access. If you use 'write' then you are also granting read access, so someone who gets control of an authenticated session would be able to read the user's password. By using =w or =wx you allow passwords to be changed and to be used in authentication, but you prevent them being read.
You will need to search your config to find the appropriate entry to add the above values to. It will be something like olcDatabase=mdb,cn=config
You should also configure a strong hash function for passwords, and ideally you should install a password policy overlay to enforce password hashing. The choice of hash function depends on the libraries available in your operating system. SSHA is always available but is very weak in the face of a password cracker. The Linux/FreeBSD/OpenBSD '$1$' '$6$' and '$2a$' hashes are very much stronger. Config looks like this:
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"
It should be added to the olcDatabase=frontend,cn=config entry.
Andrew
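An added example (not part of this thread) that makes Andrew's point checkable and answers Kartik's "where does it go": it expands an olcAccess rule into slapd.access(5) privilege letters to show that `self write` on userPassword also grants read while `self =wx` does not, and emits the cn=config LDIF for his suggested settings. The database DN `olcDatabase={1}mdb,cn=config` is an assumption; confirm yours with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase` first.

```python
"""Check an olcAccess rule for the read leak Andrew describes and build the
cn=config LDIF that applies his ACL and password-hash settings."""
import re

# Privilege letters implied by each named access level (slapd.access(5)):
# every level includes all lower ones, so 'write' silently includes 'r'.
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
    "search": "scxd", "read": "rscxd", "write": "wrscxd", "manage": "mwrscxd",
}

def privileges(access):
    """Expand an access spec ('write', '=wx', '+r') to its privilege letters."""
    if access[0] in "=+":            # explicit letters, nothing implied
        return set(access[1:])
    return set(LEVEL_PRIVS[access])

def parse_olcaccess(value):
    """Split '{n}to <what> by <who> <access> ...' into (what, [(who, access)])."""
    value = re.sub(r"^\{-?\d+\}", "", value.strip())
    what, *clauses = re.split(r"\s+by\s+", value)
    what = what.split(None, 1)[1]    # drop the leading 'to'
    return what, [tuple(c.split(None, 1)) for c in clauses]

def self_can_read_password(value):
    """True if the 'self' clause of a userPassword rule also grants read."""
    what, clauses = parse_olcaccess(value)
    if "userpassword" not in what.lower():
        return False
    return any(who == "self" and "r" in privileges(acc) for who, acc in clauses)

def hardening_ldif(db_dn="olcDatabase={1}mdb,cn=config"):
    """LDIF for 'ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>'. db_dn is an
    assumption; 'replace' overwrites the database's whole olcAccess list."""
    return "\n".join([
        f"dn: {db_dn}",
        "changetype: modify",
        "replace: olcAccess",
        "olcAccess: {0}to attrs=userPassword by self =wx by anonymous auth by * none",
        "olcAccess: {1}to * by * read",
        "",
        "dn: olcDatabase={-1}frontend,cn=config",
        "changetype: modify",
        "replace: olcPasswordHash",
        "olcPasswordHash: {CRYPT}",
        "-",
        "replace: olcPasswordCryptSaltFormat",
        'olcPasswordCryptSaltFormat: "$6$%.12s"',
        "",
    ])
```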
openldap-technical@openldap.org